jon ⚝ almereyda

Deploying Traefik using forward proxy mode with Authentik

This is an example guide how to deploy Authentik with Traefik in forward auth proxy mode - that means that any application behind the proxy will be automatically authenticated by Traefik. This allows better reuse of code and completely moves user management to Traefik & Authentik.

In this guide we use custom DNS to make the requests nicer and to show that it works with DNS. So step #1 is to put following records to your /etc/hosts (for example by sudo nano /etc/hosts and adding these values)

Initial checks

Start by checking that there aren't any previous ssh keys inside the FIDO2 authenticator of your YubiKey. You can check if they exist by running the command below:

nix shell nixpkgs#yubikey-manager -c ykman fido credentials list

If the command above outputs a string mentioning "ssh" or "openssh", then you have already got a key generated and store on your YubiKey.

Evaluating additional authentication factors

Before generating a new ssh key to store on your YubiKey you must consider which additional required authentication factors you want to use. Below you can see a table with the available factors and their corresponding command:

Prerequisites

kubectl

Install the required tools for deploying and controlling k3s.

Installation Docs:

# Download
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"

GitHub Stars

Starred by @upsetbit (cai.).

	import { serve } from "https://deno.land/[email protected]/http/server.ts";

	serve(async (request) => {
	const worker = new Worker(new URL("./worker.ts", import.meta.url).href, {
	type: "module",
	name: "worker-" + (100 * Math.random()).toFixed(),
	});

	const data = await request.json();

	# You need to set PROVIDERS_GOOGLE_CLIENT_ID, PROVIDERS_GOOGLE_CLIENT_SECRET,
	# and to set DOMAIN and EMAIL in environment
	# (e.g. DOMAIN=selfhosted.example.com [email protected] docker compose up)
	# The EMAIL will be used in a letsencrypt certificate, and will be the only user able to log in initially.

	version: '3'

	services:
	reverse-proxy:
	# Use Traefik for routing and certificate handling.

	#!/usr/bin/env bash

	set -xe

	debug="false"
	wait="true"
	time2wait=3

	CLOUD_IMG_FOLDER="$HOME/Documents/isos"
	POOL_FOLDER="/var/lib/libvirt/images"

	local wezterm = require 'wezterm';
	return {
	color_scheme = "Dracula",
	-- colors = {
	-- background = "#0c0e14",
	-- },
	window_decorations = "NONE",
	font = wezterm.font("Iosevka"),
	font_size = 10.0,
	-- dpi = 192.0,

	# Full NixOS configuration for a ZFS server with full disk encryption hosted on Hetzner.
	# See <https://mazzo.li/posts/hetzner-zfs.html> for more information.

	{ config, pkgs, ... }:
	let
	# Deployment-specific parameters -- you need to fill these in where the ... are

	hostName = "...";
	publicKey = "...";
	# From `ls -lh /dev/disk/by-id`

	{
	repository(owner: "microsoft", name: "powertoys") {
	issues(first: 100, states: OPEN) {
	totalCount
	pageInfo {
	startCursor
	hasNextPage
	endCursor
	}
	edges {